Malicious PDF — malware analysis report

Static analysis result for SHA-256 c49fd94028212d1a…

MALICIOUS

PDF

35.1 KB Created: 2020-04-25 16:59:00 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 17a8c5e68fb12727907a18b1c0042287 SHA-1: d31c41ce59168d9efeb81f5ab310fe7b1b41a7d4 SHA-256: c49fd94028212d1a26a444088462f92c0847392ac11746bd58bfed19aad03d78
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a large number of external links, indicating a link farm strategy. One heuristic specifically flagged this as a 'PDF_SEO_LINK_FARM'. Another heuristic indicated the presence of instructions for executing Windows scripting tools, suggesting a potential for further malicious activity. The document body is heavily obfuscated and contains embedded URLs, reinforcing the link farm and potential execution vectors.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://chewoncakes.com/uploads/1/3/0/4/130483773/130483773.html#barabari+natok+bd+hd+720p+free
    • http://moreleafarm.com/uploads/1/3/0/7/130776228/5d4004cb228c.pdf
    • http://vorvia.info/uploads/1/3/1/4/131453747/d434cd95.pdf
    • http://curlingponddesigns.com/uploads/1/3/1/4/131453127/c5ee4596cc.pdf
    • http://peauetry.com/uploads/1/3/1/4/131438305/nibokamujibuni_baposojoxapo.pdf
    • http://coupon-eng.com/uploads/1/3/0/2/130270934/5862849.pdf
    • http://rebeccaharrisbooks.com/uploads/1/3/0/6/130639753/zosizi-bonowirodimux.pdf
    • http://ecoliving.store/uploads/1/3/1/4/131453560/e1866610446b.pdf
    • http://strategicimpactconsulting.net/uploads/1/3/0/2/130289296/vowetalijusa-rovugefetikuj-vibefesimipi.pdf
    • http://lovebettertoday.com/uploads/1/3/0/6/130620943/6480907.pdf
    • http://gilllyflowernovel.com/uploads/1/3/0/8/130813903/xelil.pdf
    • http://dimensionmanufacturing.net/uploads/1/3/1/4/131407164/a7583248ea3675.pdf
    • http://crossroadsjobsolutions.com/uploads/1/3/0/7/130740202/wodetozunoron-lirolojolatupos-visutivimarilom-petotowutep.pdf
    • http://profacctg-llc.com/uploads/1/3/1/4/131437222/7b63c076.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006130.bin
bbd9b91d15109eae48c7c0efe60fad83e41821716aac1a86751b7acbec3a81e4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6130 7964 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.